ipv4: don't crash with corrupted control messages

Change-Id: I474b5832672e699f1eba1487f7f793bed3c1ff83 Reviewed-on: https://go-review.googlesource.com/45113 Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2026-03-31 18:37:08 +09:00 · 2017-06-08 12:04:35 +09:00
parent 59a0b19b55
commit ec5a957fe4
2 changed files with 26 additions and 5 deletions
--- a/ipv4/control.go
+++ b/ipv4/control.go
@@ -83,14 +83,14 @@ func (cm *ControlMessage) Parse(b []byte) error {
 		if lvl != iana.ProtocolIP {
 			continue
 		}
-		switch typ {
-		case ctlOpts[ctlTTL].name:
+		switch {
+		case typ == ctlOpts[ctlTTL].name && l >= ctlOpts[ctlTTL].length:
 			ctlOpts[ctlTTL].parse(cm, m.Data(l))
-		case ctlOpts[ctlDst].name:
+		case typ == ctlOpts[ctlDst].name && l >= ctlOpts[ctlDst].length:
 			ctlOpts[ctlDst].parse(cm, m.Data(l))
-		case ctlOpts[ctlInterface].name:
+		case typ == ctlOpts[ctlInterface].name && l >= ctlOpts[ctlInterface].length:
 			ctlOpts[ctlInterface].parse(cm, m.Data(l))
-		case ctlOpts[ctlPacketInfo].name:
+		case typ == ctlOpts[ctlPacketInfo].name && l >= ctlOpts[ctlPacketInfo].length:
 			ctlOpts[ctlPacketInfo].parse(cm, m.Data(l))
 		}
 	}
--- a/ipv4/control_test.go
+++ b/ipv4/control_test.go
@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipv4_test
+
+import (
+	"testing"
+
+	"golang.org/x/net/ipv4"
+)
+
+func TestControlMessageParseWithFuzz(t *testing.T) {
+	var cm ipv4.ControlMessage
+	for _, fuzz := range []string{
+		"\f\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00",
+		"\f\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00",
+	} {
+		cm.Parse([]byte(fuzz))
+	}
+}